1. Who We Are
Cognisafe LTD is the data controller for personal data collected through the Cognisafe platform at cognisafe.uk.
Cognisafe LTD
Registered in England and Wales
Email: hello@cognisafe.uk
Where we process personal data within LLM requests and responses on behalf of our customers, we act as a data processor and the customer acts as the data controller. This is described in Section 4.
2. Data We Collect
We collect the following categories of personal data:
| Category | Examples | Lawful basis |
|---|---|---|
| Account data | Name, email address, profile photo (via Clerk authentication) | Contract — necessary to provide your account |
| Billing data | Payment method details, billing address, transaction history (processed by Stripe) | Contract — necessary to process your subscription |
| Usage data | Feature usage, page views, API call counts, dashboard interactions | Legitimate interests — to improve the Service |
| Technical data | IP address, browser type, device type, session identifiers | Legitimate interests — security and fraud prevention |
| Communications | Emails and messages you send to us | Legitimate interests — to respond to your enquiry |
| API key metadata | Key names, creation dates, last-used timestamps (not the key values themselves) | Contract — necessary to manage your API access |
3. How We Use Your Data
We use the data we collect to:
- Create and manage your account and authenticate your identity
- Process payments and manage your subscription via Stripe
- Provide, maintain, and improve the Cognisafe platform
- Send transactional emails (account confirmation, billing receipts, security alerts)
- Monitor platform security and prevent fraud or abuse
- Comply with our legal obligations under UK law
- Respond to support requests and communications
We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects.
4. Data We Process on Your Behalf
When you use the Service to monitor LLM applications, you submit Customer Data to us — including LLM prompts, model responses, and metadata about those requests. This data may contain personal data relating to your own users.
In respect of Customer Data, we act solely as a data processor on your instructions. We:
- Process Customer Data only to provide the Service (safety scoring, logging, governance analysis)
- Do not use Customer Data to train our own models or for any purpose beyond the Service
- Apply technical and organisational security measures appropriate to the risk
- Delete Customer Data within 90 days of account termination
- Notify you without undue delay if we become aware of a personal data breach affecting Customer Data
Enterprise customers requiring a formal Data Processing Agreement (DPA) should contact us at hello@cognisafe.uk.
As a customer using the Service to process personal data of your own users, you are responsible for ensuring you have an appropriate lawful basis to do so and that your privacy notices reflect this processing.
5. Third-Party Services
We share data with the following third-party processors to operate the Service:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk | Authentication & identity | Name, email, session data | US (SCCs applied) |
| Stripe | Payment processing | Name, email, payment method details | US/EU (SCCs applied) |
| Railway | Cloud infrastructure & hosting | All platform data at rest and in transit | US (SCCs applied) |
| OpenAI | AI safety scoring (via PyRIT) | LLM prompt/response text for scoring only | US (SCCs applied) |
| Resend | Transactional email (if configured) | Email address, message content | US (SCCs applied) |
We require all processors to maintain appropriate security standards and to process data only on our documented instructions.
Important note on OpenAI: When safety scoring is active, LLM prompt and response text is sent to OpenAI's API for classification. This data is used solely for scoring and is subject to OpenAI's Privacy Policy. Free-tier accounts do not have safety scoring enabled and their LLM content is not sent to OpenAI.
6. Data Retention
- Account data: Retained for the duration of your account and deleted within 30 days of account closure
- Customer Data (LLM requests, responses, safety scores): Retained for the duration of your subscription plus 90 days, then permanently deleted
- Billing records: Retained for 7 years as required by UK financial regulations
- Usage logs: Retained for 12 months for security monitoring, then deleted
You may request early deletion of your Customer Data by contacting us at hello@cognisafe.uk. We will action deletion requests within 30 days.
7. Your Rights
Under UK GDPR you have the following rights in relation to your personal data:
Right of access
Request a copy of the personal data we hold about you
Right to rectification
Request correction of inaccurate or incomplete data
Right to erasure
Request deletion of your data ('right to be forgotten')
Right to restrict
Request we limit processing of your data
Right to portability
Receive your data in a structured, machine-readable format
Right to object
Object to processing based on legitimate interests
Right to withdraw consent
Where processing is based on consent, withdraw it at any time
Right to complain
Lodge a complaint with the ICO at ico.org.uk
To exercise any of these rights, contact us at hello@cognisafe.uk. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.
8. International Data Transfers
Some of our third-party processors operate in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
10. Security
We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- TLS encryption for all data in transit
- Encryption at rest for database storage
- Authentication via Clerk with support for multi-factor authentication
- API key hashing — we store only key prefixes, never plaintext keys
- Role-based access controls for internal systems
- Regular security assessments using our own red-team tooling
No method of transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at hello@cognisafe.uk.
11. Children
The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email or via an in-app notice at least 14 days before the changes take effect.
The date at the top of this page indicates when the policy was last updated. We encourage you to review this policy periodically.
13. Contact & DPO
For any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Cognisafe LTD — Privacy Enquiries
Email: hello@cognisafe.uk
Website: cognisafe.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.